8,266 research outputs found
Verifying the Safety of a Flight-Critical System
This paper describes our work on demonstrating verification technologies on a
flight-critical system of realistic functionality, size, and complexity. Our
work targeted a commercial aircraft control system named Transport Class Model
(TCM), and involved several stages: formalizing and disambiguating requirements
in collaboration with do- main experts; processing models for their use by
formal verification tools; applying compositional techniques at the
architectural and component level to scale verification. Performed in the
context of a major NASA milestone, this study of formal verification in
practice is one of the most challenging that our group has performed, and it
took several person months to complete it. This paper describes the methodology
that we followed and the lessons that we learned.Comment: 17 pages, 5 figure
Model-based dependability analysis : state-of-the-art, challenges and future outlook
Abstract: Over the past two decades, the study of model-based dependability analysis has gathered significant research interest. Different approaches have been developed to automate and address various limitations of classical dependability techniques to contend with the increasing complexity and challenges of modern safety-critical system. Two leading paradigms have emerged, one which constructs predictive system failure models from component failure models compositionally using the topology of the system. The other utilizes design models - typically state automata - to explore system behaviour through fault injection. This paper reviews a number of prominent techniques under these two paradigms, and provides an insight into their working mechanism, applicability, strengths and challenges, as well as recent developments within these fields. We also discuss the emerging trends on integrated approaches and advanced analysis capabilities. Lastly, we outline the future outlook for model-based dependability analysis
Towards Realizability Checking of Contracts using Theories
Virtual integration techniques focus on building architectural models of
systems that can be analyzed early in the design cycle to try to lower cost,
reduce risk, and improve quality of complex embedded systems. Given appropriate
architectural descriptions and compositional reasoning rules, these techniques
can be used to prove important safety properties about the architecture prior
to system construction. Such proofs build from "leaf-level" assume/guarantee
component contracts through architectural layers towards top-level safety
properties. The proofs are built upon the premise that each leaf-level
component contract is realizable; i.e., it is possible to construct a component
such that for any input allowed by the contract assumptions, there is some
output value that the component can produce that satisfies the contract
guarantees. Without engineering support it is all too easy to write leaf-level
components that can't be realized. Realizability checking for propositional
contracts has been well-studied for many years, both for component synthesis
and checking correctness of temporal logic requirements. However, checking
realizability for contracts involving infinite theories is still an open
problem. In this paper, we describe a new approach for checking realizability
of contracts involving theories and demonstrate its usefulness on several
examples.Comment: 15 pages, to appear in NASA Formal Methods (NFM) 201
Architecture-Driven Semantic Analysis of Embedded Systems (Eds) Dagstuhl Seminar 12272
Architectural modeling of complex embedded systems is gaining prominence in recent years, both in academia and in industry. An architectural model represents components in a distributed system as boxes with well-defined interfaces, connections between ports on component interfaces, and specifies component properties that can be used in analytical reasoning about the model. Models are hierarchically organized, so that each box can contain another system inside, with its own set of boxes and connections between them.
The goal of Dagstuhl Seminar 12272 âArchitecture-Driven Semantic Analysis of Embedded Systemsâ is to bring together researchers who are interested in defining precise semantics of an architecture description language and using it for building tools that generate analytical models from architectural ones, as well as generate code and configuration scripts for the system.
This report documents the program and the outcomes of the presentations and working groups held during the seminar
The JKind Model Checker
JKind is an open-source industrial model checker developed by Rockwell
Collins and the University of Minnesota. JKind uses multiple parallel engines
to prove or falsify safety properties of infinite state models. It is portable,
easy to install, performance competitive with other state-of-the-art model
checkers, and has features designed to improve the results presented to users:
inductive validity cores for proofs and counterexample smoothing for test-case
generation. It serves as the back-end for various industrial applications.Comment: CAV 201
Machine-Checked Proofs For Realizability Checking Algorithms
Virtual integration techniques focus on building architectural models of
systems that can be analyzed early in the design cycle to try to lower cost,
reduce risk, and improve quality of complex embedded systems. Given appropriate
architectural descriptions, assume/guarantee contracts, and compositional
reasoning rules, these techniques can be used to prove important safety
properties about the architecture prior to system construction. For these
proofs to be meaningful, each leaf-level component contract must be realizable;
i.e., it is possible to construct a component such that for any input allowed
by the contract assumptions, there is some output value that the component can
produce that satisfies the contract guarantees. We have recently proposed (in
[1]) a contract-based realizability checking algorithm for assume/guarantee
contracts over infinite theories supported by SMT solvers such as linear
integer/real arithmetic and uninterpreted functions. In that work, we used an
SMT solver and an algorithm similar to k-induction to establish the
realizability of a contract, and justified our approach via a hand proof. Given
the central importance of realizability to our virtual integration approach, we
wanted additional confidence that our approach was sound. This paper describes
a complete formalization of the approach in the Coq proof and specification
language. During formalization, we found several small mistakes and missing
assumptions in our reasoning. Although these did not compromise the correctness
of the algorithm used in the checking tools, they point to the value of
machine-checked formalization. In addition, we believe this is the first
machine-checked formalization for a realizability algorithm.Comment: 14 pages, 1 figur
Requirements Analysis of a Quad-Redundant Flight Control System
In this paper we detail our effort to formalize and prove requirements for
the Quad-redundant Flight Control System (QFCS) within NASA's Transport Class
Model (TCM). We use a compositional approach with assume-guarantee contracts
that correspond to the requirements for software components embedded in an AADL
system architecture model. This approach is designed to exploit the
verification effort and artifacts that are already part of typical software
verification processes in the avionics domain. Our approach is supported by an
AADL annex that allows specification of contracts along with a tool, called
AGREE, for performing compositional verification. The goal of this paper is to
show the benefits of a compositional verification approach applied to a
realistic avionics system and to demonstrate the effectiveness of the AGREE
tool in performing this analysis.Comment: Accepted to NASA Formal Methods 201
Instruction-Level Abstraction (ILA): A Uniform Specification for System-on-Chip (SoC) Verification
Modern Systems-on-Chip (SoC) designs are increasingly heterogeneous and
contain specialized semi-programmable accelerators in addition to programmable
processors. In contrast to the pre-accelerator era, when the ISA played an
important role in verification by enabling a clean separation of concerns
between software and hardware, verification of these "accelerator-rich" SoCs
presents new challenges. From the perspective of hardware designers, there is a
lack of a common framework for the formal functional specification of
accelerator behavior. From the perspective of software developers, there exists
no unified framework for reasoning about software/hardware interactions of
programs that interact with accelerators. This paper addresses these challenges
by providing a formal specification and high-level abstraction for accelerator
functional behavior. It formalizes the concept of an Instruction Level
Abstraction (ILA), developed informally in our previous work, and shows its
application in modeling and verification of accelerators. This formal ILA
extends the familiar notion of instructions to accelerators and provides a
uniform, modular, and hierarchical abstraction for modeling software-visible
behavior of both accelerators and programmable processors. We demonstrate the
applicability of the ILA through several case studies of accelerators (for
image processing, machine learning, and cryptography), and a general-purpose
processor (RISC-V). We show how the ILA model facilitates equivalence checking
between two ILAs, and between an ILA and its hardware finite-state machine
(FSM) implementation. Further, this equivalence checking supports accelerator
upgrades using the notion of ILA compatibility, similar to processor upgrades
using ISA compatibility.Comment: 24 pages, 3 figures, 3 table
Proceedings of International Workshop "Global Computing: Programming Environments, Languages, Security and Analysis of Systems"
According to the IST/ FET proactive initiative on GLOBAL COMPUTING, the goal is to obtain techniques (models, frameworks, methods, algorithms) for constructing systems that are flexible, dependable, secure, robust and efficient.
The dominant concerns are not those of representing and manipulating data efficiently but rather those of handling the co-ordination and interaction, security, reliability, robustness, failure modes, and control of risk of the entities in the system and the overall design, description and performance of the system itself.
Completely different paradigms of computer science may have to be developed to tackle these issues effectively. The research should concentrate on systems having the following characteristics: âą The systems are composed of autonomous computational entities where activity is not centrally controlled, either because global control is impossible or impractical, or because the entities are created or controlled by different owners.
âą The computational entities are mobile, due to the movement of the physical platforms or by movement of the entity from one platform to another.
âą The configuration varies over time. For instance, the system is open to the introduction of new computational entities and likewise their deletion.
The behaviour of the entities may vary over time.
âą The systems operate with incomplete information about the environment.
For instance, information becomes rapidly out of date and mobility requires information about the environment to be discovered.
The ultimate goal of the research action is to provide a solid scientific foundation for the design of such systems, and to lay the groundwork for achieving effective principles for building and analysing such systems.
This workshop covers the aspects related to languages and programming environments as well as analysis of systems and resources involving 9 projects (AGILE , DART, DEGAS , MIKADO, MRG, MYTHS, PEPITO, PROFUNDIS, SECURE) out of the 13 founded under the initiative. After an year from the start of the projects, the goal of the workshop is to fix the state of the art on the topics covered by the two clusters related to programming environments and analysis of systems as well as to devise strategies and new ideas to profitably continue the research effort towards the overall objective of the initiative.
We acknowledge the Dipartimento di Informatica and Tlc of the University of Trento, the Comune di Rovereto, the project DEGAS for partially funding the event and the Events and Meetings Office of the University of Trento for the valuable collaboration
Designing Software Architectures As a Composition of Specializations of Knowledge Domains
This paper summarizes our experimental research and software development activities in designing robust, adaptable and reusable software architectures. Several years ago, based on our previous experiences in object-oriented software development, we made the following assumption: âA software architecture should be a composition of specializations of knowledge domainsâ. To verify this assumption we carried out three pilot projects. In addition to the application of some popular domain analysis techniques such as use cases, we identified the invariant compositional structures of the software architectures and the related knowledge domains. Knowledge domains define the boundaries of the adaptability and reusability capabilities of software systems. Next, knowledge domains were mapped to object-oriented concepts. We experienced that some aspects of knowledge could not be directly modeled in terms of object-oriented concepts. In this paper we describe our approach, the pilot projects, the experienced problems and the adopted solutions for realizing the software architectures. We conclude the paper with the lessons that we learned from this experience
- âŠ